slow lookup to non-existent host

Mark Andrews marka at isc.org
Mon Oct 18 00:44:09 UTC 2010


In message <barmar-63054E.22484615102010 at reserved-multicast-range-not-delegated.example.com>,
Barry Margolin writes:
> In article <mailman.490.1287172931.555.bind-users at lists.isc.org>,
>  Eric Ritchie <eritchie at interactivebrokers.com> wrote:
> 
> >   When doing a nslookup of a non-existent host on the same network as 
> > the bind servers, there is a delay. If I do the same nslookup from a 
> > host on a different network, the response is immediate.
> 
> My guess is that the server allows recursion for clients on the same 
> network, but doesn't allow it for clients on a different network.  But 
> there's something blocking its ability to recurse.

You have two problems.

1. You don't have allow-recursion set to allow all your recursive
   clients to recurse.  When your off net clients try to recurse
   they get REFUSED.  This is why you get "quick" responses.
   The default for allow-recursion is "{ localnets; localhost; };"

2. When you do attempt to recurse on behalf of the local clients
   you can't reach the root servers.  This results in a timeout.
   I would be looking for a mis-configured firewall.

> > host a is on the same network as bind servers, host b is on different 
> > network:
> > 
> > hostb$ nslookup dev600
> > Server:         131.210.30.200
> > Address:        131.210.30.200#53
> > 
> > ** server can't find dev600: REFUSED
>
> > hosta $ nslookup dev600
> > ;; connection timed out; no servers could be reached
> > 
> > tcpdump on server:
> > 15:53:38.535453 IP hosta.ibg.28346>  bindsrv.domain:  36663+ A? dev600.ibg. 
> > (28)
> > 15:53:38.535582 IP bindsrv.domain>  hosta.ibg.28346:  36663 NXDomain* 0/1/0 
> > (75)
> > 15:53:38.535834 IP hosta.ibg.23719>  bindsrv.domain:  44929+ A? dev600. (24)
> > 
> > 
> > 15:53:21.233381 IP hostb.ibg.51921>  bindsrv.domain:  38869+ A? dev600.ibg. 
> > (28)
> > 15:53:21.233750 IP bindsrv.domain>  hostb.ibg.51921:  38869 NXDomain*- 0/1/0 
> > (75)
> > 15:53:21.234022 IP hostb.ibg.43283>  bindsrv.domain:  41973+ A? dev600. (24)
> > 15:53:21.234181 IP bindsrv.domain>  hostb.ibg.43283:  41973 Refused- 0/0/0 
> > (24)
> > 
> > 
> > We have several locations with similar setups and all see the same 
> > issue. They are running different versions also, one is 9.4.2 and one is 
> > 9.7.0-P1. The /etc/resolv.conf file is:
> > 
> > search ibg
> > options rotate
> > options ndots:3
> > nameserver 131.210.30.200
> > nameserver 131.210.30.201
> > nameserver 131.210.30.202
> > nameserver 131.210.30.203
> > 
> > Thanks
> 
> -- 
> Barry Margolin, barmar at alum.mit.edu
> Arlington, MA
> *** PLEASE don't copy me on replies, I'll read them in the group ***
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
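
Added example, not part of the original post: a small Python script that pairs each query in a tcpdump trace with its reply by client, source port and query id, so the REFUSED case (point 1) and the unanswered case (point 2) can be told apart at a glance. The function name `classify` and the verdict labels are this example's own, and it assumes tcpdump output without `-n`, where port 53 prints as `domain` as it does in the quoted trace.

```python
import re

# Constructed sample: the hosta/hostb trace quoted in the post, wrapped lines rejoined.
TRACE = """\
15:53:38.535453 IP hosta.ibg.28346 > bindsrv.domain: 36663+ A? dev600.ibg. (28)
15:53:38.535582 IP bindsrv.domain > hosta.ibg.28346: 36663 NXDomain* 0/1/0 (75)
15:53:38.535834 IP hosta.ibg.23719 > bindsrv.domain: 44929+ A? dev600. (24)
15:53:21.233381 IP hostb.ibg.51921 > bindsrv.domain: 38869+ A? dev600.ibg. (28)
15:53:21.233750 IP bindsrv.domain > hostb.ibg.51921: 38869 NXDomain*- 0/1/0 (75)
15:53:21.234022 IP hostb.ibg.43283 > bindsrv.domain: 41973+ A? dev600. (24)
15:53:21.234181 IP bindsrv.domain > hostb.ibg.43283: 41973 Refused- 0/0/0 (24)
"""

# client.port > server.domain: id[flags] [edns] TYPE? name
QUERY = re.compile(r"IP (\S+)\.(\d+)\s*>\s*\S+\.domain:\s+(\d+)\S*\s+(?:\[\w+\]\s+)?\w+\?\s+(\S+)")
# server.domain > client.port: id[flags] [Rcode]  (tcpdump prints no rcode word for NOERROR)
REPLY = re.compile(r"IP \S+\.domain\s*>\s*(\S+)\.(\d+):\s+(\d+)\S*\s+([A-Za-z]+)?")

def classify(trace):
    """Return one dict per query with the rcode seen (or None) and a verdict."""
    pending, results = {}, []
    for line in trace.splitlines():
        q = QUERY.search(line)
        if q:
            client, port, qid, name = q.groups()
            entry = {"client": client, "name": name, "rcode": None}
            pending[(client, port, qid)] = entry
            results.append(entry)
            continue
        r = REPLY.search(line)
        if r:
            client, port, qid, rcode = r.groups()
            entry = pending.pop((client, port, qid), None)
            if entry is not None:
                entry["rcode"] = rcode or "NoError"
    for e in results:
        if e["rcode"] is None:
            e["verdict"] = "no-reply"   # recursion attempted, nothing came back in the capture
        elif e["rcode"] == "Refused":
            e["verdict"] = "refused"    # client outside allow-recursion
        else:
            e["verdict"] = "answered"
    return results

if __name__ == "__main__":
    for e in classify(TRACE):
        print(f'{e["client"]:10} {e["name"]:12} {e["rcode"]!s:9} {e["verdict"]}')
```
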